Bboo file extension
.Bboo file extension is a file extension that uses the 205th version of the STOP ransomware to mark files that have been encrypted by it. Like other ransomware, Bboo virus is a malware that encrypts the victim’s files, and then demands a ransom for decrypting them. Fortunately for the ransomware victims, a team of security researchers created a free decryptor that can decrypt .bboo files. In addition to the free decryptor, there are several alternative methods that allow you to restore .bboo files to their original state (before encryption). Read more about this, as well as how to remove the virus and protect your computer from such ransomware below.
Bboo virus is new version of STOP (Djvu) ransomware. According to security researchers, this version is not much different from previous versions of STOP ransomware, such as Alka and Repp, which were widespread earlier. The ransomware virus is spread by websites offering to download freeware, key generators, activators, cracked games, torrents and so on.
Upon execution, Bboo creates a folder in the Windows system directory where it places a copy of itself and changes some Windows settings so that it starts up every time the computer is restarted or turned on. The virus collects information about the victim’s computer and then tries to establish a connection with its command server (C&C). If the connection has been established, then it sends information about the infected computer to the server, and in response receives the encryption key (the so-called ‘online key’) and additional commands and malware that must be executed on the victim’s computer. If the virus could not establish a connection with its command server, then it uses a fixed key (the so-called ‘offline key’).
Bboo virus encrypts files using a strong encryption algorithm and a long key (‘offline key’ or ‘online key’, as described above). The virus tries to encrypt as many files as possible, for this it only encrypts the first 154kb of the contents of each file and thus significantly speeds up the encryption process. Bboo has the ability to encrypt files on all drives connected to the computer: internal hard drives, flash USB disks, network storage, and so on. It skips without encryption: files located in the Windows system directories, files with the extension .dll, .lnk, .ini, .bat, .sys and files with the name ‘_readme.txt’. The remaining files located on the victim’s computer can be encrypted. For example, the following file types may be the target of ransomware attack:
.blob, .sid, .vtf, .mdf, .w3x, .syncdb, .srf, .rar, .zw, .slm, .cdr, .bkf, .wsc, .sum, .xyp, .sidn, .mov, .wbmp, .xdb, .xdl, .wpl, .re4, .hkx, .lrf, .mef, .ods, .itdb, .zif, .wire, .dwg, .eps, .zdb, .xbplate, .xbdoc, .odm, .xls, .menu, .asset, .ltx, .webp, .doc, .docm, .p12, .ntl, .1, .jpeg, .xlk, .mpqge, .d3dbsp, .dng, .y, .epk, .z3d, .wpe, .py, .cas, .sr2, .css, .xls, .ncf, .layout, .png, .0, .yal, .desc, .sav, .dbf, .vdf, .forge, .ppt, .gho, .zabw, .big, .csv, .hvpl, .dmp, .wbc, .ybk, .raw, .litemod, .wpw, .psk, .orf, .raf, .wp7, .bik, .iwi, .wpt, .mlx, .3fr, .ibank, .pst, .xmind, .apk, .mrwref, .cfr, .x, .tax, .wbz, .xx, .pdf, .zip, .dba, .wmv, .yml, .x3f, .pkpass, .pak, .icxs, .wpd, .x3f, .dazip, .2bp, .bc6, .vfs0, .upk, .gdb, .wbk, .wot, .wsh, .wdp, .pfx, .pptx, .wpd, .bc7, .hplg, .pptm, .bsa, .wma, .svg, .wmo, .txt, .rw2, .mddata, .wmv, .esm, .wotreplay, .cer, .rwl, .mp4, .lbf, .kdb, .xy3, .indd, .arch00, .der, .dxg, .t13, .ysp, .mcmeta, .xxx, .cr2, .ai, .wm, wallet, .sb, .wgz, .sidd, .wbm, .accdb, .jpe, .t12, .wav, .wp4, .m4a, .wpb, .wma, .odc, .ptx, .ws, .xlgc, .m2, .wb2, .wbd, .rgss3a, .7z, .odt, .mdbackup, .r3d, .snx, .xf, .vcf, .sis, .wps, .itl, .wpg, .pem, .flv, .crt, .hkdb, .psd, .wpa, .js, .xmmap, .webdoc, .wmf, .1st, .wp, .zip, .3ds, .nrw, .qic, .docx, .p7c, .itm, .db0, .wdb, .fsh, .das, .avi, .wsd, .wp5
Bboo encrypts file-by-file. Each file that has been encrypted will be renamed, the .bboo extension will be added at the end of its name. Thus, it marks all encrypted files. In every directory where there is at least one encrypted file, the virus places a file named ‘_readme.txt’. The file contains a message from Bboo authors. An example of the contents of this file is given below.
This message says that all files on the computer are encrypted and the only way to decrypt them is to buy a key and a decryptor from the authors of Bboo virus. That is, criminals demand a ransom for unlocking the victim’s files. The size of the ransom is $980, but if the victim is ready to pay the ransom within 72 hours, then its size is halved to $490. Attackers offer victims to verify that encrypted files can be decrypted. To do this, the victim must send them a small file to one of the email addresses specified in the ‘_readme.txt’ file. Of course, it is obvious that a single decrypted file cannot guarantee that after paying the ransom, the criminals will provide the victim with a working key and decryptor.
|Type||Filecoder, Crypto virus, File locker, Crypto malware, Ransomware|
|Encrypted files extension||.bboo|
|Ransom amount||$980,$490 in Bitcoins|
|Detection Names||Win-Trojan/MalPe37.Suspicious.X2050, Ransom:Win32/Kryptik.ea554157, Win32:TrojanX-gen [Trj], Gen:NN.ZexaF.34084.QG0@amcbw7dG, Win32/Kryptik.HATD, Trojan.TR/AD.InstaBot.hpf, Trojan.Stop.cq, Trojan-Ransom.Win32.Stop.ja, Ransom:Win32/STOP.BS!MTB|
|Symptoms||When you try to open your file, Windows notifies that you do not have permission to open this file. Your files have different extension appended at the end of the file name. Files named like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. Ransom demanding message on your desktop.|
|Distribution methods||Spam or phishing emails that are developed to get people to open an attachment or click on a link. Drive-by downloading (when a user unknowingly visits an infected web site and then malware is installed without the user’s knowledge). Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a misleading link). Malicious webpages.|
|Removal||Bboo virus removal guide|
|Decryption||Bboo file decryption guide|
How to remove Bboo virus, Recover, Decrypt .bboo files
Security researchers confirm the words of the authors of Bboo virus. All files with the extension ‘.Bboo’ are encrypted and thus cannot be read and used. The only way to decrypt them is to use the key and the decryptor. Fortunately, there is some good news. As we already reported above, Bboo virus belongs to STOP ransomware family, which means that you can use the free decryptor created by Emsisoft to decrypt the encrypted files. Even if the decryptor does not help, there are some alternative ways that can help restore the contents of the encrypted files. To learn more about decrypting files, simply scroll down to section ‘How to decrypt .bboo files’. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
- How to remove Bboo ransomware virus
- How to decrypt .bboo files
- Bboo file recovery
- How to protect your computer from Bboo ransomware
How to remove Bboo ransomware virus
Finding and removing Bboo ransomware components manually is very difficult, so we recommend using free malware removal tools. Moreover, it is desirable to use not one, but several utilities. Even if it seems to you that there is no ransomware on the computer, it does not mean anything. The virus may start encrypting the files again the next time you turn on or restart the computer. You must be completely sure that Bboo has been removed, and also that there is no other malware on the computer. Below we provide a list of recommended tools with brief instructions.
How to remove Bboo virus with Zemana
Thinking about remove Bboo crypto virus from your personal computer? Then pay attention to Zemana Free. This is a well-known utility, originally created just to scan for and uninstall malicious software, trojans and worms. But by now it has seriously changed and can not only rid you of malicious software, but also protect your PC from ransomware, malware and worms, as well as identify and delete common viruses and trojans.
Please go to the link below to download Zemana Anti Malware (ZAM). Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once downloading is done, close all software and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as on the image below.
When the install begins, you will see the “Setup wizard” which will help you install Zemana Free on your system.
Once installation is complete, you will see window as shown below.
Now click the “Scan” button to find Bboo crypto malware and other security threats. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. During the scan Zemana AntiMalware will search for threats present on your computer.
Once that process is finished, Zemana will display a list of all threats detected by the scan. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Next” button.
The Zemana AntiMalware (ZAM) will uninstall Bboo ransomware virus, other malware, worms and trojans.
How to remove Bboo with MalwareBytes Anti Malware
If you’re having issues with the Bboo removal, then download MalwareBytes Anti Malware. It is free for home use, and finds and removes various undesired programs that attacks your computer or degrades PC system performance. MalwareBytes Anti Malware can remove adware software, potentially unwanted software as well as malicious software, including ransomware and trojans.
- Please go to the following link to download MalwareBytes Free. Save it on your Desktop.
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your web browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
- When the downloading process is complete, please close all apps and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
- This will run the “Setup wizard” of MalwareBytes Anti-Malware (MBAM) onto your computer. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti-Malware will run and show the main window.
- Further, click the “Scan Now” button to search for Bboo ransomware virus related folders,files and registry keys. A system scan can take anywhere from 5 to 30 minutes, depending on your PC.
- Once the scan get completed, MalwareBytes Anti-Malware (MBAM) will show a screen that contains a list of malicious software that has been found.
- Next, you need to press the “Quarantine Selected” button. Once that process is complete, you may be prompted to reboot the personal computer.
- Close the AntiMalware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Use Kaspersky virus removal tool to remove Bboo ransomware
Kaspersky virus removal tool (KVRT) is free and easy to use. It can scan and remove ransomware, malware, potentially unwanted programs, spyware, adware, trojans, worms and other security threats. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the PC.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the KVRT screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to scan for Bboo crypto malware and other known infections. This procedure can take quite a while, so please be patient. While the Kaspersky virus removal tool utility is scanning, you may see number of objects it has identified as being affected by malware.
When the system scan is complete, KVRT will display a scan report like below.
All detected threats will be marked. You can remove them all by simply click on Continue to begin a cleaning task.
How to decrypt .bboo files
As we already reported above, files with .bboo extension are files that have been encrypted by Bboo virus. Their contents will remain locked until decrypted using the decryptor and the key. Fortunately, there is a free decryptor that can decrypt .bboo files. Below we provide instructions on where to download and how to use this decryptor.
To decrypt .bboo files, use free STOP (bboo) decryptor
- Download STOP (bboo) decryptor from the following link.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Unfortunately, at the moment, this decryptor is able to decrypt only files encrypted with an offline key, as Emsisoft found a way to identify this key. Files encrypted with an online key cannot yet be decrypted. The online key is unique to each infected computer, and at the moment there is no way to find this key. Of course, the authors of Bboo virus own this key, but we do not think that paying a ransom is the right way to decrypt .bboo files. In the case when the files are encrypted with an online key, there is a chance to restore the encrypted files using alternative methods, which are described below.
How to find out which key was used to encrypt files
Since Bboo decryptor only decrypts files encrypted with the offline key, each virus victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0205’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists “Personal ID”s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Bboo virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
If STOP (Bboo) decryptor displays message “Error: Unable to decrypt file with ID”, then two cases are possible why this happens:
- bboo files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
- bboo files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;
Bboo file recovery
As we mentioned above, in addition to using the free Bboo decryptor, there are several more methods for recovering encrypted files. These methods do not require the use of a decryptor and a key, and therefore are suitable for all cases when the virus used an online key, and for the case when the virus used an offline key. It is very important to check your computer for malware before you try to recover encrypted files. You must be 100% sure that Bboo virus is completely removed. To scan your computer for ransomware, use free malware removal tools.
Use ShadowExplorer to restore .bboo files
The Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can help you to recover .bboo files encrypted by the ransomware. A small tool called ShadowExplorer will allow you to easily access the Shadow copies and restore the encrypted files to their original state. Unfortunately, the ransomware can delete these Shadow copies before it starts encrypting files. Therefore, if ShadowExplorer did not help you, then try another method, which is given below.
Click the following link to download ShadowExplorer. Save it on your Microsoft Windows desktop.
Category: Security tools
Update: September 15, 2019
When downloading is complete, extract the downloaded file to a folder on your system. This will create the necessary files as on the image below.
Start the ShadowExplorerPortable program. Now choose the date (2) that you want to restore from and the drive (1) you want to recover files (folders) from as shown in the figure below.
On right panel navigate to the file (folder) you wish to restore. Right-click to the file or folder and click the Export button as displayed on the screen below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Use PhotoRec to restore .bboo files
The last chance to restore .bboo files to their original state is using data recovery tools. We recommend a program called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.
Download PhotoRec on your machine by clicking on the following link.
Category: Security tools
Update: March 1, 2018
Once downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder similar to the one below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as on the image below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is done, press OK button.
Next, press Browse button to select where restored files should be written, then click Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the screen below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer from Bboo ransomware
Most antivirus apps already have built-in protection system against the crypto virus. Therefore, if your computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the page linked below to download HitmanPro.Alert. Save it on your MS Windows desktop.
Category: Security tools
Update: March 6, 2019
When the download is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is started, you will be displayed a window where you can choose a level of protection, like below.
Now click the Install button to activate the protection.
This guide was created to help all victims of Bboo ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .bboo files; how to recover files, if STOP (Bboo) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Bboo related issues, go to here.